Form validation using model data?


Paul

Jul 29, 2012, 5:47:35 PM
to django...@googlegroups.com
I have a model for Websites that has 3 fields: name, url and authenticated. With a form both the name and url can be changed, but when the website is authenticated I don't want to allow the url to change.

I'm thinking about making the url (form) field readonly, but in HTML the field still becomes an input field (just with readonly="True"), so I have doubts whether hackers will be able to post a changed value anyhow (I'll need to test this).

Another approach is to add some custom form validation against the (current) model, but I have doubts whether validation is the solution for this?

Thanks for any directions
Paul

Kurtis Mullins

Jul 29, 2012, 6:00:48 PM
to django...@googlegroups.com
Just to get some more information about the problem: do you allow your users to initially insert the Name+URL? When does this become "authenticated"?

Maybe you could have two forms. One that allows users to add new Name+URL objects (not sure what your object/Model is called) and another to allow them to edit (using Django's 'fields' meta attribute to limit them to only modify the "Name" of the object).

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/urE06kkuNBIJ.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to django-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

Paul

Jul 30, 2012, 5:00:38 PM
to django...@googlegroups.com
That would be an option as well indeed. In fact I have 1 (base) form for the model that I subclass for create, read and update operations. The difference is that create and update have a submit button, read doesn't, and in the read view the fields are read-only.

The website becomes authenticated using a background process; the idea is that as soon as it becomes authenticated the url cannot be changed any more.

I have tested with readonly=True, which works correctly, apart from the fact that I don't think it's safe to only make the field readonly; I want to add some logic in the post-logic as well (so for example using custom validation).

A simpler alternative is to remove the 'update' button altogether, but in this case the view should also throw a 404 or 500 just in case someone manually modifies the url... (which is, by the way, very easy to do).

Paul

Kurtis Mullins

Jul 31, 2012, 2:07:07 PM
to django...@googlegroups.com
Ahh okay,

then I simply create two model forms.

from django.forms import ModelForm

from .models import URLModel  # Assumed import path; or whatever your model is called

class CreateURLForm(ModelForm):
    class Meta:
        fields = ('url', 'name')  # This will restrict the user to only modifying this data
        model = URLModel

class UpdateURLForm(ModelForm):
    class Meta:
        fields = ('name',)  # Restrict user only to modifying the name
        model = URLModel
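
Added example (not part of the original thread and not Django code): a framework-independent sketch of the server-side check the posts above discuss, combining the allow-list idea with a validation error when a locked url arrives changed. The `Website` dataclass, `editable_fields`, `apply_update` and the sample request bodies are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Website:
    """Stand-in for the thread's model (hypothetical, no Django required)."""
    name: str
    url: str
    authenticated: bool


class ValidationError(Exception):
    """Raised when a POST tries to change a field the server has locked."""


def editable_fields(site):
    # The allow-list comes from server-side state, never from the form markup.
    return ("name",) if site.authenticated else ("name", "url")


def apply_update(site, raw_body):
    """Apply a urlencoded POST body to `site`, enforcing the url lock."""
    posted = {k: v[-1] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    allowed = editable_fields(site)
    # Browsers still submit readonly inputs, so an unchanged url is normal;
    # a different value means the request was altered after rendering.
    if "url" not in allowed and posted.get("url", site.url) != site.url:
        raise ValidationError("url cannot change once the website is authenticated")
    for field in allowed:
        if field in posted:
            setattr(site, field, posted[field])
    return site


if __name__ == "__main__":
    # Constructed sample data.
    site = Website("Example", "https://example.org/", authenticated=True)
    apply_update(site, "name=Renamed&url=https%3A%2F%2Fexample.org%2F")
    print(site)
    try:
        apply_update(site, "name=X&url=https%3A%2F%2Fother.example%2F")
    except ValidationError as exc:
        print("rejected:", exc)
```

The check runs before any field is written, so a rejected request leaves the record untouched.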
